Log In

Spooks are not compatible with IT security

[Blog post] Trust is gone.

Can a spy agency also be a security service in the true sense of the word, keeping a country's information technology and communications networks safe?

Kiwis will soon know the answer to that question as New Zealand has now by law tasked one of its spy agencies, the Government Communications Security Bureau, to take on that role.

As a result, telcos, internet and service providers will need to consult with the GCSB on proposed substantial network changes, in the interest of national security.

Until this month, Kiwi and overseas network operators in the country were able to decide on how they built their networks and where to buy the gear. With this new law that right has been partly taken away from them.

Will intelligence agency vetting of network designs make the NZ internet users and businesses more secure?

Probably not; that kind of role just isn't compatible with the spies' other job, which is to work in an offensive capacity to stay ahead of a nation's enemies.

With that territory comes a different attitude to information sharing: intelligence services will quite naturally look at say a newly discovered vulnerability and evaluate who needs to know about it?

How soon will that information arrive to affected customers, and will it be in full?

Could that exploit be used against adversaries (or allies) if it isn't immediately plugged?

Withholding information from the wider community would be considered unethical for private security firms and researchers. Stockpiling, using or selling exploits could land them in hot water.

That's not the case for national security agencies, as the Snowden leaks continue to show. In fact, it could be argued that they're derelict in their duties if they don't make full use of what they know, rather than informing and protecting the public by making the problem go away.

While supposedly independent servants of the state, intelligence bureaus are subject to the same political pressures of other government agencies. Equipment from one country might be favoured over that from another nation, for political reasons.

Under those circumstances, hoping that spy agencies will act with an organisation's best interests in mind as they vet network designs, procurement proposals and in some cases, staff security clearance, could end up as a game of Russian Roulette.

The relationship between spy agencies and techies has deteriorated to the point that standards body Internet Engineering Task Force has now published an RFC that recommends countermeasures against mass surveillance to be built into future protocols.

Long ago, IETF never considered adding wiretapping capabilities to protocols as that would weaken them by default and make them inherently less secure.

Yet this is exactly what spy agencies want done either officially, as is the case in New Zealand or clandestinely, as in the US where the NSA allegedly meddled with the National Institute of Standards and Technology's crypto development process.

Ironically, NIST now faces an uphill slog to regain the trust it needs to do the job the government has assigned to it, namely to develop security standards.

The never-wavering belief that poachers can turn gamekeepers at any time isn't just wishful thinking, it is a fundamentally flawed notion when applied to IT security which relies on timely, shared information and quick action.

"We simply cannot operate this way," the chief executive of Cisco, John Chambers wrote in an open letter [PDF] to United States president Barack Obama, after photographs were exposed allegedly showing the country's National Security Agency secretely inserting backdoors into the network vendors' equipment prior to delivery to customers.

Chambers is right: businesses and network service providers cannot operate that way under the shadow of unreliable and uncommunicative intelligence agencies.

Experience has shown that we can't trust the spooks. Everyone from the general public to businesses will be better served if they are kept at an arm's length, and don't have final say in security matters.

Juha Saarinen has been covering the technology sector since the mid-1990s for publications around the world. He has been writing for iTnews since 2010 and also contributes to the New Zealand Herald, the Guardian and Wired's Threat Level section.
He is based in Auckland, New Zealand. Google

All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.Your use of this website
constitutes acceptance of nextmedia's Privacy Policy and
Terms & Conditions.